LDAPDomainDump

LDAPDomainDump is a Python tool for extracting and analyzing Active Directory information via LDAP. It queries domain controllers to enumerate users, computers, groups, policies, and trust relationships, exporting results in multiple formats for both interactive analysis and scripting workflows.

Installation

Via pip

pip install ldapdomaindump

From GitHub

git clone https://github.com/dirkjanm/ldapdomaindump.git
cd ldapdomaindump
pip install -r requirements.txt
python setup.py install

Verify Installation

ldapdomaindump --help

Quick Start

Basic Domain Dump

ldapdomaindump -u 'DOMAIN\username' -p 'password' ldap://192.168.1.10

With LDAPS (SSL/TLS)

ldapdomaindump -u 'DOMAIN\username' -p 'password' ldaps://192.168.1.10

Using Null Session

ldapdomaindump -u '' -p '' ldap://192.168.1.10

Authentication Methods

Option	Usage	Example
`-u`	Domain username	`-u 'DOMAIN\user'` or `-u 'user@domain.com'`
`-p`	Password	`-p 'password123'`
`-at NTLM`	NTLM hash authentication	`-at NTLM -hashes lm:nt`
LDAP (unencrypted)	ldap:// protocol	`ldap://10.0.0.5`
LDAPS (SSL/TLS)	ldaps:// protocol	`ldaps://10.0.0.5`
Anonymous	Empty credentials	`-u '' -p ''`

Output Files Generated

LDAPDomainDump creates multiple files for each data type:

File	Format	Purpose
`domain_users.html`	HTML report	Interactive user enumeration
`domain_users.json`	JSON data	Programmatic parsing
`domain_users.grep`	Grep-friendly	CLI text processing
`domain_computers.html`	HTML report	System inventory
`domain_computers.json`	JSON data	Machine enumeration
`domain_computers.grep`	Grep-friendly	OS/patch analysis
`domain_groups.html`	HTML report	Group memberships
`domain_groups.json`	JSON data	Membership parsing
`domain_groups.grep`	Grep-friendly	Group extraction
`domain_policy.html`	HTML report	Password policies
`domain_policy.json`	JSON data	Policy data
`domain_policy.grep`	Grep-friendly	Policy attributes
`domain_trusts.html`	HTML report	Forest/domain trusts
`domain_trusts.json`	JSON data	Trust relationships
`domain_trusts.grep`	Grep-friendly	Trust enumeration

Output Formats

HTML Reports

Open in browser for interactive exploration:

firefox domain_users.html
# Sort by columns, search, view descriptions

JSON for Scripting

Parse with tools like jq:

jq '.users[] | select(.userAccountControl | contains("NORMAL_ACCOUNT"))' domain_users.json

Grep-Friendly Format

Process with grep, awk, sed:

grep "ADMIN" domain_groups.grep

Output Directory and Format Options

Specify Output Directory

ldapdomaindump -u 'DOMAIN\user' -p 'pass' -o /tmp/dump ldap://10.0.0.5

Disable Unwanted Formats

# HTML only
ldapdomaindump -u 'DOMAIN\user' -p 'pass' --no-json --no-grep ldap://10.0.0.5

# JSON only
ldapdomaindump -u 'DOMAIN\user' -p 'pass' --no-html --no-grep ldap://10.0.0.5

# Grep only
ldapdomaindump -u 'DOMAIN\user' -p 'pass' --no-html --no-json ldap://10.0.0.5

Custom Field Delimiter

ldapdomaindump -u 'DOMAIN\user' -p 'pass' -d '|' ldap://10.0.0.5
# Changes delimiter from default to pipe character

Useful Grep Queries

Find Domain Administrators

grep "Domain Admins" domain_groups.grep
grep -i "admin" domain_users.grep

Find Disabled Accounts

grep "DISABLED" domain_users.grep

Password Never Expires

grep "DONT_EXPIRE_PASSWORD" domain_users.grep

Extract Description Fields (Common Loot Location)

grep "Description:" domain_users.grep
grep -i "password\|pwd\|pass" domain_users.grep

Find Stale Accounts (Old lastLogon)

grep "1601\|1980\|2000" domain_users.grep
# Look for ancient timestamps

Service Accounts

grep -i "svc\|service\|managed service" domain_users.grep

Computer Inventory

grep "Windows Server" domain_computers.grep
grep "Windows 10" domain_computers.grep
grep "Server 2019" domain_computers.grep

Common Options

Option	Usage
`-u`	Username (domain\user format)
`-p`	Password
`-o`	Output directory (default: current)
`-r`	Referral host for multi-domain environments
`-at NTLM`	Authentication type (NTLM)
`-hashes`	LM:NT hashes instead of password
`--no-html`	Skip HTML report generation
`--no-json`	Skip JSON export
`--no-grep`	Skip grep-friendly format
`-d`	Field delimiter for grep output
`--dns-tcp`	Use TCP for DNS queries

Loot Analysis Workflow

1. Browser-Based Review

# Open HTML reports in browser
firefox domain_users.html
firefox domain_groups.html
firefox domain_policy.html

2. Extract Data with jq

# Get all user emails
jq -r '.users[] | .mail' domain_users.json | grep -v null

# Find users without password expiration
jq -r '.users[] | select(.userAccountControl | contains("DONT_EXPIRE_PASSWORD")) | .sAMAccountName' domain_users.json

# List all privileged groups
jq -r '.groups[] | select(.sAMAccountName | contains("Admin")) | .cn' domain_groups.json

3. CLI Processing with Grep

# Find nested group memberships
grep -E "^cn=.*,cn=Users" domain_groups.grep

# Extract computer names and OS
awk -F'|' '{print $1,$3}' domain_computers.grep

# Search descriptions for sensitive info
grep -i "backup\|password\|key\|secret" domain_users.grep

4. Cross-Reference Analysis

# Find users in sensitive groups
for group in "Domain Admins" "Enterprise Admins" "Schema Admins"; do
  echo "=== $group ==="
  grep "$group" domain_groups.grep
done

Integration with Other Tools

Feed to BloodHound

# Combine ldapdomaindump JSON with BloodHound ingestor
# Export users and groups to BloodHound format for visualization

Combine with CrackMapExec

# Use ldapdomaindump to enumerate, then spray with CME
cme smb 10.0.0.0/24 -u 'user' -p 'pass' --shares

Enrich Impacket Workflows

# Use enumerated usernames with GetNPUsers.py
python GetNPUsers.py -usersfile users.txt DOMAIN/

Parse for BloodHound CSV

# Convert JSON output to BloodHound ingestor CSV format
jq -r '.users[] | [.cn, .memberOf[]] | @csv' domain_users.json

Troubleshooting

Connection Refused

# Verify LDAP port is open
nmap -p 389,636 10.0.0.5

# Check firewall rules blocking LDAP
# Try LDAPS on 636 instead: ldaps://10.0.0.5

Invalid Credentials

# Verify username format (DOMAIN\user or user@domain.com)
# Test with known valid account
# Check if account is locked or disabled

Timeout Issues

# Increase query timeout (depends on domain size)
# Try connecting directly to a specific DC
# Reduce scope with custom queries if supported

Permission Denied

# Some objects may require higher privileges
# Try with Domain Admin or Enterprise Admin account
# Verify user has LDAP read permissions

No Output Generated

# Verify LDAP connection successful
# Check output directory permissions
# Try specifying explicit output directory: -o /tmp/ldap_dump

Best Practices

Use encrypted connections (LDAPS on port 636) when possible to avoid credential sniffing
Test with null sessions first to determine what anonymous LDAP access reveals
Archive results for offline analysis and comparison across time
Cross-reference outputs between different formats to verify data integrity
Sanitize sensitive data before sharing reports with third parties
Document enumeration scope (date, credentials used, domain targeted)
Monitor for detection - LDAP enumeration may trigger security alerts in mature environments
Combine with other tools - use results as input for attack chain planning
Review descriptions carefully - often contain passwords, notes, legacy system info
Track stale accounts - old accounts may still have high privileges

Tool	Purpose
windapsearch	LDAP enumeration alternative with different output options
ADFind	Windows-based AD enumeration (Windows only)
ldapsearch	OpenLDAP CLI tool for manual queries
enum4linux-ng	Multi-protocol enumeration including LDAP
BloodHound	AD visualization and attack path analysis
CrackMapExec	Multi-protocol post-exploitation framework
Impacket	Python toolkit with AD/LDAP utilities
PowerView	PowerShell-based AD enumeration